[kforge-dev] Re: [kforge-user] Installation and setup experiences + problems

• Previous message: [kforge-dev] Changeset [91]: Document weird bug found as a result of bizarre failure in tag.packages ...
• Next message: [kforge-dev] Changeset [1093]: Add explanatory comments on www.document_root and django.templates config ...
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi Gunnar,

Sorry not to write you back sooner...

Gunnar Johansson wrote:

> Hi,
>
> This will be a long posting, but I'd like to give some comments on my 
> experience so far. I also have some additional problems.


Thanks a lot for your long comments. I might not be able to write a full 
reply just now, but will try to follow this up with another email asap. 
Meanwhile....

>
> == Installation ==
>
> 1) When initially editing kforge.conf, it would be useful to point out 
> that the KForge web files (document_root) are installed in 
> /usr/local/share/kforge/www (by default). The same thing goes for the 
> django template files (templates_dir) which turns up in 
> /usr/local/share/kforge/templates/kui. This caused me some confusion 
> initiallly.


I agree with you. Let's do this....

>
> 2) When running kforge-admin with the --config parameter, the 
> path-to-config must be specified with the full absolute path (e.g 
> /etc/kforge.conf). The same is of course also true if you export 
> KFORGE_SETTINGS, but that's more obvious.


Yes, we could also write support for relative paths....

>
> == SSL ==
>
> One thing that troubles me is the use of virtual hosts for 
> admin/project subdomains. If you're running a public kforge server and 
> want full certificate trust, this will be a problem unless of course 
> you can afford a wildcard certificate. I see for example you're 
> running a certificate for project.knowledgeforge.net 
> <http://project.knowledgeforge.net> for both admin and project, which 
> causes warnings on admin. Would it be possible to add an option to use 
> for example a <domain>/admin and <domain>/project structure instead?


Yes, we should support this.

> This should be possible by simply changing the VirtualHost sections to 
> sets of Alias-es and <Directory ..> configurations, or is there 
> something more complex behind this?


I don't think so, but I didn't write much of the Apache config building.

> You probably would need to generate two different config-files, like 
> httpd.conf and ssl.conf and include your ssl.conf inside your 
> VirtualHost section for SSL, but I think it would be quite nice..


I agree.

>
> It's no high priority though, but have you thought anything about this 
> problem?


No I haven't, I didn't really write much the Apache config building 
code. Perhaps Rufus has thought something about it?

> == Permissions ==
>
> For us, it is vital that certain projects are inaccessible by non-members.


This is supposed to be supported already.... :-)

> I understand you have put a lot of effort in building user access 
> rights through the domain model, it looks like good work.


Thank you. That's really encouraging to hear.

> I really like the way services authenticate through your python 
> accesshandler. I have some problems though. According to 
> http://project.knowledgeforge.net/kforge/trac/wiki/KforgeGuide#RolesandPermissions, 
> a Visitor should not have access to project services. This restriction 
> works fine for svn, but not for trac. Is this a known problem?


I don't think so.... Unless it is the same problem we've had with 
knowledgeforge.net (where "closed" Trac services have been spammed). 
We're working on a fix for this.

> (I'm running kforge 0.12 stable).    This also leads to the next point..
>
>
> == SVN checkout ==
>
> Though browsing a repository through a web browser works fine when 
> logged in, I get an error when doing a 'svn co <URL>'. Note that I 
> first get a prompt stating the Authentication realm and a password 
> request for my user (gunjo):
>
> svn: PROPFIND of '': 500 internal server error
>
> The apache access log says:
>
> visitor [17/Feb/2007:19:39:20 +0100] "PROPFIND /gunnar/svn HTTP/1.1" 
> 401 526 "-" "SVN/1.4.2 (r22196) neon/0.25.5"
> gunjo [17/Feb/2007:19:39:23 +0100] "PROPFIND /gunnar/svn HTTP/1.1" 500 
> 661 "-" "SVN/1.4.2 (r22196) neon/0.25.5"
>
> The kforge.log says:
>
> [2007-02-17 19:39:20,432] Access Denied: Person 'visitor' to 'Read' 
> object '<Plugin id='3' dateCreated='2007-02-17 16:48:46' name='svn'>': 
> Access not authorised, by default.
> [2007-02-17 19:39:23,706] Access Denied: Person 'visitor' to 'Read' 
> object '<Plugin id='3' dateCreated='2007-02-17 16:48:46' name='svn'>': 
> Access not authorised, by default.
>
> And the apache error log says:
>
> [Sat Feb 17 19:39:23 2007] [error] [client ] (9)Bad file descriptor: 
> Could not open password file: (null)
>
> Any thoughts?


I'm sorry to say this :-) but are you sure you got the password and 
username right? The 500 error and the bad file descriptor error indicate 
some catastrophe (perhaps as if something is excepting and the access 
control code is swallowing an exception, but we don't use password 
files....), but the kforge.log would indicate that your authentication 
failed, rather than not being a member of a project with a sufficient 
role. As I'm sure you know, svn will by default take the kforge username 
as your unix username, but that might not be the username of your kforge 
account. Please do check this, and let me know? Otherwise I'd say 
there's a bug of some sort.

> Sorry for the lengthy mail, but I like your system, and would really 
> like to see it work for me  :-)


No problem, thanks for your nice message, I hope we can sort you out soon.

Best wishes,  John.

>
> Regards,  Gunnar
>

• Previous message: [kforge-dev] Changeset [91]: Document weird bug found as a result of bizarre failure in tag.packages ...
• Next message: [kforge-dev] Changeset [1093]: Add explanatory comments on www.document_root and django.templates config ...
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]